TY - JOUR
T1 - Improved Ring LWR-Based Key Encapsulation Mechanism Using Cyclotomic Trinomials
AU - Park, So Hyun
AU - Kim, Suhri
AU - Lee, Dong Hoon
AU - Park, Jong Hwan
N1 - Funding Information:
This work was supported in part by the Military Crypto Research Center funded by the Defense Acquisition Program Administration (DAPA) under Grant UD170109ED, and in part by the Agency for Defense Development (ADD).
Publisher Copyright:
© 2013 IEEE.
PY - 2020
Y1 - 2020
N2 - In the field of post-quantum cryptography, lattice-based cryptography has received the most noticeable attention. Most lattice-based cryptographic schemes are constructed based on the polynomial ring $R_q = \mathbb{Z}_q[x]/f(x)$, using a cyclotomic polynomial $f(x)$. Until now, the most preferred cyclotomic polynomials have been $x^n + 1$, where $n$ is a power of two, and $x^n + \cdots + x + 1$, where $n+1$ is a prime. The former results in the smallest decryption error size, but the choice of degree is limited. On the other hand, the latter gives rise to the largest decryption error size, but the choice of degree is very flexible. In this paper, we use a new polynomial ring $R_q = \mathbb{Z}_q[x]/f(x)$ with a cyclotomic trinomial $f(x) = x^n - x^{n/2} + 1$ as an intermediate that combines the advantages of the other rings. Since the degree $n$ is chosen freely as $n = 2^a 3^b$ for positive integers $a$ and $b$, the choice of the degree $n$ is moderate. Furthermore, since the error propagation is small in the middle of polynomial multiplication in the new ring, if the middle part is truncated and used, the decryption error size can be reduced. Based on these observations, we propose a new, practical key encapsulation mechanism (KEM) that is constructed over a ring with a cyclotomic trinomial. The security of our KEM is based on the hardness of ring learning-with-rounding (LWR) problems. With appropriate parameterization for the current 128-bit security model, we show that our KEM obtains shorter secret keys and ciphertexts, especially compared to the previous Ring-LWR-based KEM, Round5, with no error correction code. We then implement our KEM and compare its performance with that of several KEMs that were presented in the second round of the NIST PQC conference.
AB - In the field of post-quantum cryptography, lattice-based cryptography has received the most noticeable attention. Most lattice-based cryptographic schemes are constructed based on the polynomial ring $R_q = \mathbb{Z}_q[x]/f(x)$, using a cyclotomic polynomial $f(x)$. Until now, the most preferred cyclotomic polynomials have been $x^n + 1$, where $n$ is a power of two, and $x^n + \cdots + x + 1$, where $n+1$ is a prime. The former results in the smallest decryption error size, but the choice of degree is limited. On the other hand, the latter gives rise to the largest decryption error size, but the choice of degree is very flexible. In this paper, we use a new polynomial ring $R_q = \mathbb{Z}_q[x]/f(x)$ with a cyclotomic trinomial $f(x) = x^n - x^{n/2} + 1$ as an intermediate that combines the advantages of the other rings. Since the degree $n$ is chosen freely as $n = 2^a 3^b$ for positive integers $a$ and $b$, the choice of the degree $n$ is moderate. Furthermore, since the error propagation is small in the middle of polynomial multiplication in the new ring, if the middle part is truncated and used, the decryption error size can be reduced. Based on these observations, we propose a new, practical key encapsulation mechanism (KEM) that is constructed over a ring with a cyclotomic trinomial. The security of our KEM is based on the hardness of ring learning-with-rounding (LWR) problems. With appropriate parameterization for the current 128-bit security model, we show that our KEM obtains shorter secret keys and ciphertexts, especially compared to the previous Ring-LWR-based KEM, Round5, with no error correction code. We then implement our KEM and compare its performance with that of several KEMs that were presented in the second round of the NIST PQC conference.
KW - Cyclotomic trinomial
KW - key encapsulation mechanism
KW - lattice-based encryption
KW - post-quantum cryptography
KW - ring-LWR problem
UR - http://www.scopus.com/inward/record.url?scp=85089539627&partnerID=8YFLogxK
U2 - 10.1109/ACCESS.2020.3002223
DO - 10.1109/ACCESS.2020.3002223
M3 - Article
AN - SCOPUS:85089539627
SN - 2169-3536
VL - 8
SP - 112585
EP - 112597
JO - IEEE Access
JF - IEEE Access
M1 - 9116975
ER -